h38fh2mf Posted May 10, 2015

This is a short guide on how to debug CTDs yourself. What it means is you will try to find out as much information about the crash as possible.

First, open Data/SKSE/skse.ini; if it doesn't exist then create it. Add this:

    [Debug]
    WriteMinidumps=1

Then wait for the game to crash. Now you will have a crash dump in Documents/My Games/Skyrim/SKSE/Crashdumps

For example something like this:

    2015-05-08_16.26.42.dmp

This file is not readable by humans, it's for a debugger, but you can do online crashdump analysis. Here is one site that does this: https://www.osronline.com/page.cfm?name=analyze

Once you submit you will receive a bunch of text, most of this is useless but there are a few things that can be helpful to you or someone else. Scroll down a bit and find the line that says:

    EXCEPTION_RECORD:

Below it is the address in code where game crashed exactly. For example:

    ExceptionAddress: 00d573a8 (TESV+0x009573a8)

It means that game was executing code on address 0xD573A8. It also says that the crash occurred in module TESV. If the crash had occurred in any SKSE plugin it would say that DLL name as module instead. Although it's still possible for a crash to be caused by SKSE plugin and happen in TESV module.

Now why is this address helpful?

1. Someone else may have the same crash, you can compare what you both have in common to narrow down cause.
2. Someone else may have had the same crash and already solved it.
3. I can look it up in game code to see what happens in the function, maybe it helps you narrow down cause.
4. You can compare if the crashes you are having are the same ones or different.

It could also be helpful to catalogue known crashes in a sticky or somewhere.

If you post your crash here include at least this information:

    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 00d573a8 (TESV+0x009573a8)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000000
    Attempt to read from address 00000000

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8
    3684fc50 00000000 00000000 3684fcd4 00786b68 TESV+0x7f2fb8

And everything SKSE related from Loaded Module List. Example:

    0c490000 0c577000 SKSE_Elys_Uncapper SKSE_Elys_Uncapper.dll
    50e00000 50e80000 nioverride nioverride.dll
    51110000 51122000 enbhelper enbhelper.dll
    51310000 51332000 showRaceMenu_preCacheKiller showRaceMenu_preCacheKiller.dll
    51340000 5140d000 StorageUtil StorageUtil.dll
    51bf0000 51c76000 chargen chargen.dll
    51c80000 51c96000 SpellInvisibilityPlugin SpellInvisibilityPlugin.dll
    51ca0000 51ccb000 SexLabUtil SexLabUtil.dll
    51cd0000 51d23000 SchlongsOfSkyrim SchlongsOfSkyrim.dll
    51d30000 51d6c000 MfgConsole MfgConsole.dll
    51d70000 51d86000 ItemSoulgemPlugin ItemSoulgemPlugin.dll
    51f50000 51f66000 ItemPoisonPlugin ItemPoisonPlugin.dll
    51f70000 5203a000 skse_1_9_32 skse_1_9_32.dll
    52290000 522e3000 FirstPersonPlugin FirstPersonPlugin.dll
    522f0000 5236a000 hook hook.dll
    52530000 52546000 ItemArrowPlugin ItemArrowPlugin.dll
    52550000 52566000 ItemChargePlugin ItemChargePlugin.dll
    525b0000 525c6000 AutoLockpickPlugin AutoLockpickPlugin.dll
    525d0000 525ef000 DoubleJumpPlugin DoubleJumpPlugin.dll

Some reported crashes so far:

Offset: 00d573a8 (TESV+0x009573a8)
When: loading finished
Cause: unknown
Result: skeleton is used in one thread while it was just deleted in another
Fix: unknown (may help to have less animations installed - guess only), make sure XPMS or XPMSE is not overridden by anything, run FNIS again
Related: animation binding, skeleton, string cache

Offset: 00a50a3d (TESV+0x00650a3d) [a512a1 in stack]
When: unknown
Cause: unknown
Result: BSFixedString is set to invalid string cache entry which causes a crash when trying to increment its reference count
Fix: unknown
Related: string cache

Offset: xxxxxxxx [nioverride+0xf96b in stack]
When: unknown - happens in nioverride module which is a DLL included with RaceMenu mod
Cause: unknown, possibly loaded into a cell with decapitated body
Result: unknown
Fix: unknown, possibly disable decapitations or stop using all mods that require this (racemenu, xpmse etc)
Related:

Offset: 0068701d (TESV+0x0028701d)
When: saving game
Cause: mod conflict
Result: multiple mods modify same record, in one instance of this crash it was leveled lists
Fix: unknown (Azzazzx traced it to Requiem, may vary)
Related: saving, BGSSaveLoadManager, mod conflict

Offset: 006bac9a (TESV+0x002bac9a)
When: unknown
Cause: unknown
Result: actor has base form set to NULL, reading flags from it causes a crash
Fix: unknown
Related: Actor, ActorBase

Offset: 00abeab4 (TESV+0x006beab4)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: NiNode

Offset: 0046edf0 (TESV+0x0006edf0)
When: unknown
Cause: unknown
Result: comparing name of NiNode while the name pointer is invalid, possibly searching NiNode by name
Fix: unknown
Related: NiNode

Offset: 008b437c (TESV+0x004b437c) [nioverride+0x838c0 in stack]
When: loading save
Cause: unknown
Result: unknown
Fix: unknown
Related: script, nioverride, RaceMenu

Offset: 00cec5ec (TESV+0x008ec5ec)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: rendering, particles

Offset: 00bdc33b (TESV+0x007dc33b)
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: animations

Offset: 0046ecf5 (TESV+0x0006ecf5)
When: removing clothes, other?
Cause: unknown (possibly incompatible skeleton)
Result: unknown
Fix: unknown (try installing different skeleton and re-running FNIS)
Related: skeleton, NiNode

Offset: 00d5c69f (TESV+0x0095c69f) [00d6305e in last control transfer]
When: unknown
Cause: unknown
Result: unknown
Fix: unknown
Related: unknown

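An added example, not part of the original post or of SKSE: a small Python parser that pulls the fields the post asks for out of the analysis text and looks the module-relative offset up in three entries copied from the catalogue above. It goes slightly beyond the post by falling back to the first module+offset stack frame when ExceptionAddress shows no module, as in the report posted later in this thread; the function and dictionary names are made up for this example.

```python
import re

# Offsets and "Related" notes copied from the catalogue in the post above.
# KNOWN_CRASHES and crash_signature are names invented for this example.
KNOWN_CRASHES = {
    ("tesv", 0x9573A8): "animation binding, skeleton, string cache",
    ("tesv", 0x28701D): "saving, BGSSaveLoadManager, mod conflict",
    ("tesv", 0x2BAC9A): "Actor, ActorBase",
}

EXC_ADDR = re.compile(r"ExceptionAddress:\s*([0-9a-f]{8})(?:\s*\((\w+)\+0x([0-9a-f]+)\))?", re.I)
EXC_CODE = re.compile(r"ExceptionCode:\s*([0-9a-f]{8})", re.I)
ACCESS = re.compile(r"Attempt to (read from|write to) address ([0-9a-f]{8})", re.I)
# A stack line: five hex columns, then module+0xoffset (frames with no module are skipped).
FRAME = re.compile(r"\b(?:[0-9a-f]{8}\s+){5}(\w+)\+0x([0-9a-f]+)", re.I)

def crash_signature(report):
    """Extract the fields worth comparing between two crash reports."""
    addr = EXC_ADDR.search(report)
    if addr is None:
        raise ValueError("no ExceptionAddress line in report")
    module, offset, from_stack = addr.group(2), addr.group(3), False
    if module is None:
        # The faulting address lies outside every loaded module, so use the
        # first stack frame that does name a module.
        frame = FRAME.search(report.partition("STACK_TEXT:")[2])
        if frame:
            module, offset, from_stack = frame.group(1), frame.group(2), True
    code = EXC_CODE.search(report)
    access = ACCESS.search(report)
    key = (module.lower(), int(offset, 16)) if module else None
    return {
        "address": int(addr.group(1), 16),
        "module": key[0] if key else None,
        "offset": key[1] if key else None,
        "from_stack": from_stack,
        "code": int(code.group(1), 16) if code else None,
        "access": (access.group(1).split()[0].lower(), int(access.group(2), 16)) if access else None,
        "related": KNOWN_CRASHES.get(key),
    }

# Excerpts of the two reports quoted in this thread, trimmed to the relevant lines.
IN_MODULE = """ExceptionAddress: 00d573a8 (TESV+0x009573a8)
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 00000000
STACK_TEXT:
3684fc20 00bf2fb8 00000000 16a9a770 3684fde0 TESV+0x9573a8"""
NO_MODULE = """ExceptionAddress: d3b3d4e4
ExceptionCode: c0000005 (Access violation)
Attempt to write to address 00003d20
STACK_TEXT:
12f8fefc 006645f7 ce88c640 01b2ecc0 3cdd0000 0xd3b3d4e4
12f8ff88 7672336a cbf28900 12f8ffd4 770892b2 TESV+0x2645f7"""

if __name__ == "__main__":
    for sample in (IN_MODULE, NO_MODULE):
        print(crash_signature(sample))
```

Subtracting the offset from the absolute address gives the module's load base, which is a quick check that two reports with the same offset really refer to the same code.
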
pinky6225 Posted May 10, 2015

Is there a performance cost (like with having papyrus logging turned on all the time) if you have this:

    Add this:
    [Debug]
    WriteMinidumps=1

Since I think one of the frustrations is that the game performs less well with logging turned on (papyrus), but if you crash with it turned off you are often unable to repeat whatever caused the crash to get a log to provide for debugging.

h38fh2mf (Author) Posted May 10, 2015

No performance cost. It only writes once when the game crashes.

Blackness blackness is... Posted May 10, 2015

Hey, thanks! I may try this at some point, if serious CTDs come back.

pinky6225 Posted May 10, 2015

> No performance cost. It only writes once when the game crashes.

Cool, so a standard SKSE.ini should look like spoiler?

    [Display]
    iTintTextureResolution=2048

    [General]
    ClearInvalidRegistrations=1

    [Memory]
    DefaultHeapInitialAllocMB=768
    ScrapHeapSizeMB=256

    [Debug]
    WriteMinidumps=1

h38fh2mf (Author) Posted May 10, 2015

Yes, now on game crash it will write the file. It's about 70 KB.

pinky6225 Posted May 10, 2015

> Yes, now on game crash it will write the file. It's about 70 KB.

Groovy, thanks for help.

Okay, tried and ran and got the below:

    Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
    Online Crash Dump Analysis Service
    See http://www.osronline.com for more information
    Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x86 compatible
    Product: WinNt, suite: SingleUserTS
    kernel32.dll version: 6.1.7601.18798 (win7sp1_gdr.150316-1654)
    Machine Name:
    Debug session time: Sun May 10 09:09:44.000 2015 (UTC - 4:00)
    System Uptime: not available
    Process Uptime: 0 days 0:34:33.000
    Kernel time: 0 days 0:04:38.000
    User time: 0 days 0:49:45.000
    TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\oca.ini, error 2
    TRIAGER: Could not open triage file : e:\dump_analysis\program\winxp\triage.ini, error 2
    TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\user.ini, error 2
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\guids.ini, error 2
    *** WARNING: Unable to verify timestamp for d3d9.dll
    *** ERROR: Module load completed but symbols could not be loaded for d3d9.dll
    *** WARNING: Unable to verify timestamp for hdtHighHeelNative.dll
    *** ERROR: Module load completed but symbols could not be loaded for hdtHighHeelNative.dll
    *** WARNING: Unable to verify timestamp for hdtPhysicsExtensions.dll
    *** ERROR: Module load completed but symbols could not be loaded for hdtPhysicsExtensions.dll
    *** WARNING: Unable to verify timestamp for XAudio2_6.dll
    *** WARNING: Unable to verify timestamp for atiumdag.dll
    *** ERROR: Module load completed but symbols could not be loaded for atiumdag.dll
    *** WARNING: Unable to verify timestamp for hdtSkyrimMemPatch.dll
    *** ERROR: Module load completed but symbols could not be loaded for hdtSkyrimMemPatch.dll
    *** WARNING: Unable to verify timestamp for JContainers.dll
    *** ERROR: Module load completed but symbols could not be loaded for JContainers.dll
    TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

    FAULTING_IP:
    +2645f7
    d3b3d4e4 0000 add byte ptr [eax],al

    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: d3b3d4e4
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 00003d20
    Attempt to write to address 00003d20

    DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
    PROCESS_NAME: TESV.exe
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    EXCEPTION_PARAMETER1: 00000001
    EXCEPTION_PARAMETER2: 00003d20
    WRITE_ADDRESS: 00003d20

    FOLLOWUP_IP:
    TESV+2645f7
    006645f7 ?? ???

    FAULTING_THREAD: 000018e4
    PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE
    BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
    LAST_CONTROL_TRANSFER: from 006645f7 to d3b3d4e4

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    12f8fefc 006645f7 ce88c640 01b2ecc0 3cdd0000 0xd3b3d4e4
    12f8ff88 7672336a cbf28900 12f8ffd4 770892b2 TESV+0x2645f7
    12f8ff94 770892b2 cbf28900 65dd8925 00000000 kernel32!BaseThreadInitThunk+0xe
    12f8ffd4 77089285 00a4b4a0 cbf28900 00000000 ntdll!__RtlUserThreadStart+0x70
    12f8ffec 00000000 00a4b4a0 cbf28900 00000000 ntdll!_RtlUserThreadStart+0x1b

    SYMBOL_STACK_INDEX: 1
    SYMBOL_NAME: tesv+2645f7
    FOLLOWUP_NAME: MachineOwner
    MODULE_NAME: TESV
    IMAGE_NAME: TESV.exe
    DEBUG_FLR_IMAGE_TIMESTAMP: 51437ce5
    STACK_COMMAND: ~27s; .ecxr ; kb
    FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_TESV.exe!Unknown
    BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_tesv+2645f7
    WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/TESV_exe/1_9_32_0/51437ce5/unknown/0_0_0_0/bbbbbbb4/c0000005/d3b3d4e4.htm?Retriage=1
    Followup: MachineOwner

Was just running through Solitude.

nooblet123 Posted May 11, 2015

> FAULTING_IP: +2645f7 d3b3d4e4 0000 add byte ptr [eax],al

If you can get more instructions from the dump, you can search dlls and exe for that code and find out if it's skyrim or a mod causing CTDs.

If you have something like SoftIce you can set a breakpoint on that address and debug Bethesda's game for them for free!!! WOOOOOHOOOOOOO!!!!

h38fh2mf (Author) Posted May 11, 2015

I looked at the crash at the address you posted: 0x6645F7

This is a function where active effect list of an actor is updated by time delta (for example durations are updated and such). One of the effects for you caused invalid virtual table call, not sure why, it would help to see registers but that website analysis doesn't show it. Don't know if any of this is helpful to you or someone.

b3lisario Posted May 11, 2015

I'm interested in this subject. How do you know 0x6645F7 is a function and what it does?

h38fh2mf (Author) Posted May 11, 2015

All the information comes from reverse engineering. 0x6645F7 is in function 0x664470 where "this" is MagicTarget class. I know that because it's called like this in one place:

    MagicTarget::unk_664470(&v2->magicTarget, v2, v6, v5);

In that function happens this:

    tList<ActiveEffect*> v5 = (*((int (**)(void))a1->vtable + 7))();

Then all entries in the list are iterated and this is what caused crash:

    (*(void (__thiscall **)(ActiveEffect *))((void (__thiscall **)(_DWORD))v8->vtable + 2))(v8);

I don't know why though, it's possible the entry was a bad pointer.

nooblet123 Posted May 11, 2015

It probably called or jumped to data segment (which is likely all zeroes) because opcode 0000 is really suspicious or eax is not a multiple of 4 in "add byte ptr [eax],al".

h38fh2mf (Author) Posted May 11, 2015

It isn't a valid address because under FAULTING_IP: it doesn't show module. I looked at the function a bit more and I think it was trying to remove the active effect.

b3lisario Posted May 11, 2015

> All the information comes from reverse engineering. 0x6645F7 is in function 0x664470 where "this" is MagicTarget class. I know that because it's called like this in one place:
>
>     MagicTarget::unk_664470(&v2->magicTarget, v2, v6, v5);
>
> In that function happens this:
>
>     tList<ActiveEffect*> v5 = (*((int (**)(void))a1->vtable + 7))();
>
> Then all entries in the list are iterated and this is what caused crash:
>
>     (*(void (__thiscall **)(ActiveEffect *))((void (__thiscall **)(_DWORD))v8->vtable + 2))(v8);
>
> I don't know why though, it's possible the entry was a bad pointer.

Awesome. What program do you use to get this?

h38fh2mf (Author) Posted May 11, 2015

IDA, alternatively you can just debug it and see where it was called from.

b3lisario Posted May 11, 2015

Now I am sad. I tried IDA some time ago and I just couldn't figure it out. I can see the assembly code, but it is pretty much indecipherable for me. Is there any way to turn that into C++ code? Like MagicTarget::unk_664470, v2->magicTarget and so on.

nooblet123 Posted May 12, 2015

Probably a Hex-Rays decompiler plugin for IDA.

trongus Posted May 12, 2015

I'm getting exactly the same error as you have provided in the example, 00d573a8, with the same stack trace. Have you identified that particular CTD in the past? Thanks.

h38fh2mf (Author) Posted May 12, 2015

> I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace. Have you identified that particular ctd in the past? Thanks.

It is caused by skeleton.

trongus Posted May 12, 2015

> > I'm getting exactly same error as you have provided in the example, 00d573a8, with same stack trace. Have you identified that particular ctd in the past? Thanks.
>
> It is caused by skeleton.

Thanks for quick reply. Then is there a way to locate the skeleton file that is problematic?

h38fh2mf (Author) Posted May 12, 2015

Not easily, it's most likely the main character skeleton.

trongus Posted May 12, 2015

> Not easily, it's most likely the main character skeleton.

Hmm.. Since turning off the mods that modify skeleton.hkx does nothing, I'd probably need to turn off every mod that messes with *.hkx. Thanks for the clue!

h38fh2mf (Author) Posted May 12, 2015

Yeah, I have the crash too, I didn't find a good solution. If you need more information, it happens when game deletes skeleton while it is being used in another thread, then the game does something like this:

    strcmp(skeleton->objName, animationBinding->name)

But skeleton's objName is bad pointer or null because it was deleted already. If I block skeleton's deletion then it doesn't help either, the crash just happens elsewhere. Something is handled very badly with the skeleton, I don't know why.

Reading the forums a bit, some people say to use 2.5 or earlier version of skeleton because 2.7+ caused crash. Don't know if that's true or not.

rance Posted May 14, 2015

This should become a sticky, because this method is way better than the Papyrus to find why a game keeps on crashing.

h38fh2mf (Author) Posted May 14, 2015

Yes, then more people may post their crash logs and we can start to have a list of addresses and what they are related to + what may cause them or how to fix.